Active Directory permissions for password-less logon
If you would like to use Windows domain accounts with public key authentication, or as backing accounts for virtual accounts; and if you do not wish to configure passwords for these domain accounts in the SSH Server's password cache; then you will need to ensure that the SSH Server has read permissions to user data in the Active Directory.
A default Active Directory installation may grant the necessary read permissions by default – for example, through the Active Directory group Pre-Windows 2000 Compatible Access. If default settings have been changed, a permissions issue might arise when trying to use domain accounts with password-less logon.
If the SSH Server's log files indicate permission-related issues when trying to use domain accounts with password-less logon, grant the necessary read permissions as follows:
On the Domain Controller, open Active Directory Users and Computers under Administrative Tools.
In the View menu, enable Advanced Features.
Right click on the Users container in the tree view. Click Properties.
In the Security tab of the new dialog, click Advanced.
In the Permissions tab of the Advanced Security Settings dialog, add the computer running Bitvise SSH Server:
Set Applies to to This object and all descendant objects.
Enable the permissions List contents and Read all properties.
These are recommended settings which are intended to be future-proof and easy to configure. However, it is possible to configure a more restricted alternative.
Alternative most restricted permissions
The most restricted Active Directory permissions that can be applied for the SSH Server to still function are as follows:
Right click on the Users container in the tree view. Click Properties.
In the Security tab of the new dialog, click Advanced.
In the Permissions tab of the Advanced Security Settings dialog, add the computer running Bitvise SSH Server:
Set Applies to to This object only.
Enable the permission List contents.
Continuing in the Permissions tab, add another entry for the computer running Bitvise SSH Server:
Set Applies to to Descendant User objects.
Enable the permissions:
- Read account restrictions
- Read general information
- Read logon information
- Read public information
- Read remote access information
Restricting permissions in this manner is not recommended because:
Future SSH Server versions might require additional permissions for password-less logon.
An SSH Server instance may be configured to automatically update to such a version in the administrator's absence.
If the SSH Server is not updated, it may instead be exposed to a vulnerability that has been discovered and fixed.